Intermittent "504 SSL_do_handshake() failed"

I seem to be having a problem with the secure reverse proxy. I have a
“Synology Disk Station” that hosts Apache virtual servers with one being
an administration web panel, and the other “https://192.168.2.2/photo”
being a photo/blogging site.
I have googled around and looked at the NGINX forum and have found no
solution to this problem or as to what is causing it. When I first
launch nginx everything seems to work fine as expected, but after X
amount of time testing (clearing client cache and using other browsers)
I start intermittently getting “502 Bad Gateway” errors from Nginx. Both
Nginx and Synology use a self-signed certificate. I have done a
wireshark packet dump from Nginx and decrypted the packets via the
server’s private key, and the only thing I noticed was 302 Not modified
headers and the SSL Alerts with Key renegotiation.

My network setup can be described as below:
192.168.2.2 [Synology (Apache)] ↔ 192.168.2.151 [Nginx] ↔ External
[Client]

My router is set up to serve only HTTPS 443 connections from my LAN to
external.

Versions:
nginx version: nginx/0.7.65 on Ubuntu 10.04.1 LTS (lucid)
Server version: Apache/2.2.16 (Unix)

[Nginx Config]
server {
    listen 443;
    ssl on;
    server_name home.fractalengine.com;

    ##LOG
    access_log /var/log/nginx/localhost.access.log;

    ##SSL Params
    ssl_certificate         ssl/storage.in.crt;
    ssl_certificate_key     ssl/storage.key;
    keepalive_timeout       60;
    ssl_verify_client       off;
    ssl_session_cache       off;

    location / {
        proxy_pass              https://192.168.2.2;
        proxy_next_upstream     error timeout invalid_header http_500 http_502 http_503;
        proxy_set_header        Host $host;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto https;
        proxy_redirect          off;
        proxy_cache_use_stale   error timeout invalid_header updating http_500 http_502 http_503 http_504;
    }

    location /doc {
        root   /usr/share;
        autoindex on;
        allow 127.0.0.1;
        deny all;
    }

    location /images {
        root   /usr/share;
        autoindex on;
    }
}

[NGINX ERROR Log]
2010/10/22 17:23:24 [error] 5206#0: *501 SSL_do_handshake() failed (SSL: error:1408C095:SSL routines:SSL3_GET_FINISHED:digest check failed) while SSL handshaking to upstream, client: 69.xx.xxx.x, server: home.myDomain.com, request: "GET /blog/modules/friend_link.js HTTP/1.1", upstream: "https://192.168.2.2:443/blog/modules/friend_link.js", host: "home.myDomain.com", referrer: "https://home.myDomain.com/blog/admin_index.php"
2010/10/22 17:23:24 [error] 5206#0: *506 SSL_do_handshake() failed (SSL: error:1408C095:SSL routines:SSL3_GET_FINISHED:digest check failed) while SSL handshaking to upstream, client: 69.xx.xxx.x, server: home.myDomain.com, request: "GET /blog/modules/label_cloud.js HTTP/1.1", upstream: "https://192.168.2.2:443/blog/modules/label_cloud.js", host: "home.myDomain.com", referrer: "https://home.myDomain.com/blog/admin_index.php"
2010/10/22 17:23:24 [error] 5206#0: *504 SSL_do_handshake() failed (SSL: error:1408C095:SSL routines:SSL3_GET_FINISHED:digest check failed) while SSL handshaking to upstream, client: 69.xx.xxx.x, server: home.myDomain.com, request: "GET /blog/modules/statistical_data.js HTTP/1.1", upstream: "https://192.168.2.2:443/blog/modules/statistical_data.js", host: "home.myDomain.com", referrer: "https://home.myDomain.com/blog/admin_index.php"
2010/10/22 17:23:24 [error] 5206#0: *507 SSL_do_handshake() failed (SSL: error:1408C095:SSL routines:SSL3_GET_FINISHED:digest check failed) while SSL handshaking to upstream, client: 69.xx.xxx.x, server: home.myDomain.com, request: "GET /blog/modules/recent_article.js HTTP/1.1", upstream: "https://192.168.2.2:443/blog/modules/recent_article.js", host: "home.myDomain.com", referrer: "https://home.myDomain.com/blog/admin_index.php"

Again the weird thing is it stops working after X amount of time
testing. I’m starting to think it has something to do with the
connection timeout from Nginx to Apache?? Or maybe something with the
Cache?

Any help would be greatly appreciated!
Thanks!

Posted at Nginx Forum:
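As an added example (not code from the thread), a small Python parser for nginx error-log lines in the format quoted above: it groups SSL_do_handshake() failures to upstream by upstream host and OpenSSL error code, so the repeated "digest check failed" pattern that points at broken session resumption stands out from ordinary upstream timeouts or client-side handshake failures. The sample log is constructed; client IPs and hostnames are placeholders, and the threshold in suspect_session_reuse is an assumption.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample log in the nginx error-log format quoted in the thread (placeholder hosts/IPs).
SAMPLE_LOG = """\
2010/10/22 17:23:24 [error] 5206#0: *501 SSL_do_handshake() failed (SSL: error:1408C095:SSL routines:SSL3_GET_FINISHED:digest check failed) while SSL handshaking to upstream, client: 69.0.0.1, server: home.example.com, request: "GET /blog/modules/friend_link.js HTTP/1.1", upstream: "https://192.168.2.2:443/blog/modules/friend_link.js", host: "home.example.com", referrer: "https://home.example.com/blog/admin_index.php"
2010/10/22 17:23:24 [error] 5206#0: *506 SSL_do_handshake() failed (SSL: error:1408C095:SSL routines:SSL3_GET_FINISHED:digest check failed) while SSL handshaking to upstream, client: 69.0.0.1, server: home.example.com, request: "GET /blog/modules/label_cloud.js HTTP/1.1", upstream: "https://192.168.2.2:443/blog/modules/label_cloud.js", host: "home.example.com"
2010/10/22 17:23:25 [error] 5206#0: *510 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 69.0.0.1, server: home.example.com, request: "GET /blog/ HTTP/1.1", upstream: "https://192.168.2.2:443/blog/", host: "home.example.com"
2012/02/08 15:03:49 [info] 13273#0: *1 SSL_do_handshake() failed (SSL: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown) while SSL handshaking, client: 10.0.0.5, server: 0.0.0.0:443
"""

LINE_RE = re.compile(r'^(?P<ts>\S+ \S+) \[(?P<level>\w+)\] (?P<pid>\d+)#\d+: \*(?P<conn>\d+) (?P<msg>.*)$')
SSL_RE = re.compile(r'SSL_do_handshake\(\) failed \(SSL: error:(?P<code>[0-9A-Fa-f]+):SSL routines:'
                    r'(?P<func>[^:]+):(?P<reason>[^)]+)\) while SSL handshaking(?P<to_upstream> to upstream)?')
KV_RE = re.compile(r'(\w+): (?:"([^"]*)"|([^,]+))')  # nginx appends "key: value, ..." context fields
DIGEST_CHECK_FAILED = "1408C095"  # SSL3_GET_FINISHED:digest check failed, the code from the first post

def parse_line(line):
    """Split one error-log line into header fields, the SSL error (if any) and the context fields."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    msg = rec["msg"]
    idx = msg.find(", client: ")  # context fields always start with "client:"
    tail = msg[idx + 2:] if idx != -1 else ""
    rec["fields"] = {key: (quoted if quoted else bare.strip()) for key, quoted, bare in KV_RE.findall(tail)}
    s = SSL_RE.search(msg)
    rec["ssl"] = None if not s else {"code": s["code"], "func": s["func"],
                                     "reason": s["reason"], "to_upstream": bool(s["to_upstream"])}
    return rec

def summarize_upstream_ssl_failures(log_text):
    """Count handshake failures *to upstream* per (upstream host:port, OpenSSL code, reason)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["ssl"] and rec["ssl"]["to_upstream"]:
            host = urlsplit(rec["fields"].get("upstream", "")).netloc or "?"
            counts[(host, rec["ssl"]["code"], rec["ssl"]["reason"])] += 1
    return counts

def suspect_session_reuse(counts, threshold=2):
    """Upstreams with repeated 'digest check failed' handshakes: the pattern proxy_ssl_session_reuse off; cleared."""
    return sorted({host for (host, code, _), n in counts.items()
                   if code == DIGEST_CHECK_FAILED and n >= threshold})
```

Run summarize_upstream_ssl_failures over a real error log and feed the result to suspect_session_reuse; a host listed there is the one to test with session reuse disabled.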

On Sun, Oct 24, 2010 at 02:23:52PM -0400, terminal wrote:

> Again the weird thing is it stops working after X amount of time
> testing. I’m starting to think it has something to do with the
> connection timeout from Nginx to Apache?? Or maybe something with the
> Cache?

Try
    proxy_ssl_session_reuse off;

Igor S.
http://sysoev.ru/en/

Wow, that seems to have worked… I didn’t think it would be that simple
of a solution. I will keep testing to make sure.
I guess the problem was reusing the SSL sessions on the backend?

Thanks again for your help, and quick response!

Posted at Nginx Forum:

A similar problem occurred in my case.
Following is the ssl server configuration.
At first I used AJP.
But after I could not find a corresponding directive to
proxy_ssl_session_reuse, I changed to proxy.

upstream loadbalancer {
    server 127.0.0.1:8080;
    keepalive 100;
}

server {
    listen 443 default ssl;
    ssl on;

    ......

    location / {
        #access_log off;
        #ajp_pass    loadbalancer;
        proxy_pass http://loadbalancer;
        proxy_ssl_session_reuse off;
    }
}

Here’s the error log:
2012/02/08 15:03:49 [info] 13273#0: *1 SSL_do_handshake() failed (SSL: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown) while SSL handshaking,

Any help would be greatly appreciated!
Thanks in advance!

Posted at Nginx Forum: